E-mail Security Problems

The Internet is an expansive network of computers, much of which is unprotected against malicious attacks. From the time it's composed to the time it's read, e-mail travels along this unprotected Internet, perpetually exposed to electronic dangers.

Many users believe that e-mail privacy is inherent and guaranteed, psychologically equating it with postal mail. While e-mail is indeed conventionally secured by a password system, that one layer of protection is not secure and is generally insufficient to guarantee appreciable security.

Businesses are increasingly relying on electronic mail to correspond with clients and colleagues. As more sensitive information is transferred online, the need for e-mail privacy becomes more pressing.

Because e-mail passes through many routers and mail servers on its way to the recipient, it is inherently vulnerable to both physical and virtual eavesdropping. Current industry standards do not place emphasis on security; information is transferred in plain text, and mail servers regularly conduct unprotected backups of e-mail that passes through. In effect, every e-mail leaves a digital paper trail in its wake that can be easily inspected months or years later. The e-mail can be read by any cracker who gains access to an inadequately protected router.

The receivers of e-mail can compromise e-mail privacy by indiscriminate forwarding of e-mail. This can reveal contact information (like e-mail addresses, full names, and phone numbers) as well as attachments.

Criticisms of E-mail for use in Accounting Industry

E-mail privacy, without some security precautions, can be compromised because:

1. E-mail messages are generally not encrypted;
2. E-mail messages have to go through intermediate computers before reaching their destination, meaning it is relatively easy for others to intercept and read messages;
3. Many Internet Service Providers (ISPs) store copies of your e-mail messages on their mail servers before they are delivered. The backups of these can remain for up to several months on their server, even if you delete them from your mailbox;
4. Headers and other information in the e-mail can often identify the sender, preventing anonymous communication.
5. Another risk is that e-mail passwords might be intercepted during sign-in.

Postal Mail Security Problems

The security vulnerabilities regarding postal mail are numerous and quite obvious. While the U.S. Postal system is supported by many legal provisions governing the individual privacy rights of citizens, it should be noted that this system is largely protected by the honor and ethics of persons with access to mail contents.

While it is not our intention to cast doubt on the integrity of the many diligent and responsible persons working in the mail industry (US Postal, FedEx, UPS, etc.), it is prudent to acknowledge the risks associated with this medium and to note that laws written to protect privacy are merely reactive punitive measures, functioning only as a deterrent at best and providing little to no active protection or prevention of this particular crime. Persons who attempt to exploit the vulnerabilities of postal mail do so, in most cases, in an attempt to commit future crimes of a fraudulent nature, and generally regard the legal ramifications of mail fraud as minor compared to the spoils of a "successful" ploy of identity theft or some other such venture.

Criticisms of Postal Mail for use in Accounting Industry

1. Cost of postage, especially when mailing time-sensitive information where overnight services are needed.
2. When sending contents on CD, floppy, DVD, etc., there are higher-than-average breakage issues that render the media unreadable in corresponding drives, thus causing further delay.
3. Lack of proactive security protections.
4. Slow transport times as compared to electronic transfers.

FTP Security Problems

The original FTP specification is an inherently insecure method of transferring files because there is no method specified for transferring data in an encrypted fashion. This means that under most network configurations, user names, passwords, FTP commands and transferred files can be "sniffed" or viewed by anyone on the same network using a packet sniffer.

Criticisms of FTP for use in Accounting Industry

1. Passwords and file contents are sent in clear text, which can be intercepted by eavesdroppers. There are protocol enhancements that circumvent this.
2. Multiple TCP/IP connections are used: one for the control connection, and one for each download, upload, or directory listing. Firewall software needs additional logic to account for these connections.
3. It is hard to filter active mode FTP traffic on the client side by using a firewall, since the client must open an arbitrary port in order to receive the connection. This problem is largely resolved by using passive mode FTP.
4. It is possible to abuse the protocol's built-in proxy features to tell a server to send data to an arbitrary port of a third computer.
5. FTP is a high-latency protocol due to the number of commands needed to initiate a transfer.
6. No integrity check on the receiver side. If a transfer is interrupted, the receiver has no way to know whether the received file is complete. It is necessary to manage this externally, for example with MD5 sums or cyclic redundancy checking.
7. No error detection. FTP relies on the underlying TCP layer for error control, which uses a weak checksum by modern standards.
8. No date/timestamp attribute transfer. Uploaded files are given a new current timestamp. There is no way in the standard FTP protocol to set the time-last-modified (or time-created) date-stamp that most modern file systems preserve. There is a draft of a proposed extension that adds new commands for this, but as of yet, most of the popular FTP servers do not support it. This mechanism is vital to accurate audit reporting of file transfer activity.
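
Items 3 and 4 both come down to the active-mode PORT command, in which the client tells the server where to open the data connection. The following is an added example, not code from the original page: a server-side or firewall-side check that parses the PORT argument and refuses targets other than the control connection's own peer. The function names and the two-rule policy are assumptions chosen for illustration, and the addresses are constructed documentation addresses.

```python
import ipaddress
import re

# PORT argument per RFC 959: h1,h2,h3,h4,p1,p2 (four address bytes, two port bytes).
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
                     re.IGNORECASE)


def parse_port_command(line):
    """Return (IPv4Address, port) for a PORT command line, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]


def check_port_command(line, control_peer_ip):
    """Decide whether to honor a PORT command; returns (allowed, reason).

    Assumed policy (illustrative): the data target must be the host that
    opened the control connection, and must not be a well-known port.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT argument"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return False, f"data target {ip} is not the control peer {control_peer_ip}"
    if port < 1024:
        return False, f"data target port {port} is a well-known port"
    return True, f"ok: {ip}:{port}"


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed: address of the control connection's client
    for cmd in ("PORT 192,0,2,10,195,80",   # client's own address, high port
                "PORT 198,51,100,7,0,25",   # third host, port 25
                "PORT 192,0,2,10,0,25",     # own address, well-known port
                "PORT 192,0,2,300,1,1"):    # byte out of range
        print(cmd, "->", check_port_command(cmd, peer))
```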
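
Item 6 says completeness has to be managed outside the protocol, for example with MD5 sums or cyclic redundancy checking. The following is an added example, not code from the original page: the sender publishes size, MD5 and CRC-32 for a file, and the receiver compares them after the transfer. The manifest layout and function names are assumptions, and the payloads are constructed sample data.

```python
import hashlib
import os
import tempfile
import zlib


def manifest_entry(path, chunk_size=65536):
    """Size, MD5 and CRC-32 of a file, computed in one streaming pass."""
    md5, crc, size = hashlib.md5(), 0, 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "crc32": f"{crc:08x}"}


def verify_transfer(received_path, expected):
    """Return the manifest fields that differ; an empty list means a match."""
    actual = manifest_entry(received_path)
    return [k for k in ("size", "md5", "crc32") if actual[k] != expected[k]]


def demo():
    """Constructed sample: a 204,800-byte payload, a copy cut off mid-transfer,
    and a full-length copy with one flipped bit."""
    payload = bytes(range(256)) * 800
    corrupted = bytearray(payload)
    corrupted[1000] ^= 0x01
    results = {}
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("sent", payload), ("partial", payload[:150000]),
                           ("corrupt", bytes(corrupted))):
            paths[name] = os.path.join(d, name + ".bin")
            with open(paths[name], "wb") as fh:
                fh.write(data)
        expected = manifest_entry(paths["sent"])  # what the sender would publish
        for name in ("sent", "partial", "corrupt"):
            results[name] = verify_transfer(paths[name], expected)
    return results


if __name__ == "__main__":
    for name, diff in demo().items():
        print(name, "OK" if not diff else "MISMATCH: " + ", ".join(diff))
```

MD5 and CRC-32 catch truncation and accidental corruption; they do not authenticate the sender, so the manifest itself must arrive over a channel the receiver trusts.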